CVE-2023-25690: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server. CVE-2023-27522: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. Please bump to 2.4.56.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=491e42d2897839a8f980080579044f9dd97d818d commit 491e42d2897839a8f980080579044f9dd97d818d Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2023-03-11 08:56:36 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2023-03-11 11:17:46 +0000 www-servers/apache: add 2.4.56 Bug: https://bugs.gentoo.org/900416 Signed-off-by: Hans de Graaff <graaff@gentoo.org> www-servers/apache/Manifest | 1 + www-servers/apache/apache-2.4.56.ebuild | 259 ++++++++++++++++++++++++++++++++ 2 files changed, 260 insertions(+)
Cleanup done.
Curious as to why no GLSA has been created for CVE-2023-25690 or CVE- 2023-27522?
GLSA request filed.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=c436d88493a5c8eec9b1f8a63799d35dd75d3372 commit c436d88493a5c8eec9b1f8a63799d35dd75d3372 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-09-08 19:12:28 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2023-09-08 19:18:31 +0000 [ GLSA 202309-01 ] Apache HTTPD: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/891211 Bug: https://bugs.gentoo.org/900416 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202309-01.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+)